diff --git a/build_num b/build_num
index ac182eafd..b783782d3 100644
--- a/build_num
+++ b/build_num
@@ -1 +1 @@
-#define BUILD_NUM 1623
+#define BUILD_NUM 1624
diff --git a/doc/ChangeLog b/doc/ChangeLog
index a54a77fa1..b814985c8 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,7 +1,9 @@
 2009-10-20  vadim  <vadim@vk.crocodile.org>
 
 	* NATCompiler_pf_writers.cpp (PrintRule::processNext): Added
-	support for branching NAT rules for PF.
+	support for branching NAT rules for PF. Compiler generates
+	keyword "anchor" if PF version is 4.3 or later and "nat-anchor"
+	and "rdr-anchor" for earlier versions.
 
 	* platforms.cpp (getActionNameForPlatform): Human-readable names
 	for Policy and NAT rule actions come from the platform .xml
diff --git a/src/gui/platforms.cpp b/src/gui/platforms.cpp
index 5b2eff4f9..74a53c68c 100644
--- a/src/gui/platforms.cpp
+++ b/src/gui/platforms.cpp
@@ -403,7 +403,8 @@ void getVersionsForPlatform(const QString &platform, std::list<QStringPair> &res
                 res.push_back(QStringPair("","- any -"));
                 res.push_back(QStringPair("3.x", QObject::tr("3.x")));
 		res.push_back(QStringPair("ge_3.7", QObject::tr("3.7 to 3.9")));
-                res.push_back(QStringPair("4.x", QObject::tr("4.x")));
+                res.push_back(QStringPair("4.0", QObject::tr("4.0 to 4.2")));
+                res.push_back(QStringPair("4.3", QObject::tr("4.3 and later")));
 /* add pf versions here */
             } else
             {
diff --git a/src/pflib/CompilerDriver_pf.cpp b/src/pflib/CompilerDriver_pf.cpp
index ef745db2f..60e39ee79 100644
--- a/src/pflib/CompilerDriver_pf.cpp
+++ b/src/pflib/CompilerDriver_pf.cpp
@@ -246,7 +246,8 @@ void CompilerDriver_pf::printStaticOptions(QTextStream &file, Firewall* fw)
     // and generate 'set skip on <ifspec>' commands
 
     if (fw->getStr("version")=="ge_3.7" ||
-        fw->getStr("version")=="4.x") 
+//        fw->getStr("version")=="4.x") 
+        XMLTools::version_compare(fw->getStr("version"), "4.0")>=0)
     {
         for (list<FWObject*>::iterator i=all_interfaces.begin();
              i!=all_interfaces.end(); ++i) 
diff --git a/src/pflib/CompilerDriver_pf_run.cpp b/src/pflib/CompilerDriver_pf_run.cpp
index 2f4826d61..3bc54cb2a 100644
--- a/src/pflib/CompilerDriver_pf_run.cpp
+++ b/src/pflib/CompilerDriver_pf_run.cpp
@@ -181,7 +181,9 @@ QString CompilerDriver_pf::assembleFwScript(Firewall* fw, bool cluster_member, O
     if (fw->getStr("platform") == "pf")
     {
         script_skeleton.setVariable("pf_flush_states", options->getBool("pf_flush_states"));
-        script_skeleton.setVariable("pf_version_ge_4_x", fw->getStr("version")=="4.x");
+        script_skeleton.setVariable("pf_version_ge_4_x", // fw->getStr("version")=="4.x");
+                                    XMLTools::version_compare(fw->getStr("version"), "4.0")>=0);
+
     } else
     {
         script_skeleton.setVariable("pf_flush_states", 0);
@@ -331,6 +333,17 @@ string CompilerDriver_pf::run(const std::string &cluster_id,
             if (!nat->matchingAddressFamily(policy_af)) continue;
 
             string ruleset_name = nat->getName();
+
+            if (ruleset_name.find("/*")!=string::npos)
+            {
+                QString err("The name of the policy ruleset %1"
+                            " ends with '/*', assuming it is externally"
+                            " controlled and skipping it.");
+                warning(fw, nat, NULL,
+                        err.arg(ruleset_name.c_str()).toStdString());
+                continue;
+            }
+
             if (nat->isTop())
                 ruleset_name = "__main__";
 
diff --git a/src/pflib/NATCompiler_pf.h b/src/pflib/NATCompiler_pf.h
index 5c50cadff..373a6dc13 100644
--- a/src/pflib/NATCompiler_pf.h
+++ b/src/pflib/NATCompiler_pf.h
@@ -348,7 +348,12 @@ namespace fwcompiler {
 	 */
         class PrintRule : public NATRuleProcessor
         {
-            protected:
+            void _printAnchorRule(const std::string &anchor_command,
+                                  const std::string &ruleset_name,
+                                  const std::string &interface_name,
+                                  libfwbuilder::NATRule *rule);
+                
+    protected:
             bool                             init;
             std::string                      current_rule_label;
 
diff --git a/src/pflib/NATCompiler_pf_writers.cpp b/src/pflib/NATCompiler_pf_writers.cpp
index 3183ef1a5..ee54488a6 100644
--- a/src/pflib/NATCompiler_pf_writers.cpp
+++ b/src/pflib/NATCompiler_pf_writers.cpp
@@ -81,6 +81,8 @@ bool NATCompiler_pf::PrintRule::processNext()
 
     tmp_queue.push_back(rule);
 
+    string version = compiler->fw->getStr("version");
+
     if (!compiler->inSingleRuleCompileMode())
     {
         string rl=rule->getLabel();
@@ -246,19 +248,16 @@ bool NATCompiler_pf::PrintRule::processNext()
             // in test mode compiler->abort() does not really abort the program
             ruleset_name = "UNKNOWN";
         }
-        compiler->output << "anchor \"" << ruleset_name << "\" ";
 
-        if (iface_name!="") compiler->output << "on " << iface_name << " ";
-        if (!osrv->isAny() || !osrcrel->isAny() || !odstrel->isAny())
+        if (XMLTools::version_compare(version, "4.2")>=0)
         {
-            _printProtocol(osrv);
-            compiler->output  << "from ";
-            _printREAddr( osrcrel );
-            compiler->output  << "to ";
-            _printREAddr( odstrel );
-            _printPort(osrv, true);
+            _printAnchorRule("anchor", ruleset_name, iface_name, rule);
+        } else
+        {
+            _printAnchorRule("nat-anchor", ruleset_name, iface_name, rule);
+            _printAnchorRule("rdr-anchor", ruleset_name, iface_name, rule);
         }
-	compiler->output  << endl;
+
     }
     break;
 
@@ -268,6 +267,30 @@ bool NATCompiler_pf::PrintRule::processNext()
     return true;
 }
 
+void NATCompiler_pf::PrintRule::_printAnchorRule(const string &anchor_command,
+                                                 const std::string &ruleset_name,
+                                                 const std::string &interface_name,
+                                                 NATRule *rule)
+{
+    RuleElementOSrc *osrcrel = rule->getOSrc();
+    RuleElementODst *odstrel = rule->getODst();
+    RuleElementOSrv *osrvrel = rule->getOSrv();
+    Service *osrv = compiler->getFirstOSrv(rule);
+
+    compiler->output << anchor_command << " \"" << ruleset_name << "\" ";
+    if (interface_name!="") compiler->output << "on " << interface_name << " ";
+    if (!osrvrel->isAny() || !osrcrel->isAny() || !odstrel->isAny())
+    {
+        _printProtocol(osrv);
+        compiler->output  << "from ";
+        _printREAddr( osrcrel );
+        compiler->output  << "to ";
+        _printREAddr( odstrel );
+        _printPort(osrv, true);
+    }
+    compiler->output  << endl;
+}
+
 void NATCompiler_pf::PrintRule::_printProtocol(Service *srv)
 {
     // CustomService returns protocol name starting with v3.0.4
diff --git a/src/pflib/PolicyCompiler_pf_writers.cpp b/src/pflib/PolicyCompiler_pf_writers.cpp
index 8a74e026c..cc64b637f 100644
--- a/src/pflib/PolicyCompiler_pf_writers.cpp
+++ b/src/pflib/PolicyCompiler_pf_writers.cpp
@@ -44,6 +44,7 @@
 #include "fwbuilder/IPv4.h"
 #include "fwbuilder/DNSName.h"
 #include "fwbuilder/AddressTable.h"
+#include "fwbuilder/XMLTools.h"
 
 #include <iostream>
 #if __GNUC__ > 3 || \
@@ -945,7 +946,8 @@ bool PolicyCompiler_pf::PrintRule::processNext()
         {
             // tcp service, no special flag match
 
-            if ( version == "4.x")
+//            if ( version == "4.x")
+            if (XMLTools::version_compare(version, "4.0")>=0)
             {
                 if (compiler->getCachedFwOpt()->getBool(
                         "accept_new_tcp_with_no_syn") )
@@ -1005,7 +1007,8 @@ bool PolicyCompiler_pf::PrintRule::processNext()
                  * interface. Adding rule option "Set 'keep state'
                  * explicitly" to cope with this.
                  */
-                if ( version != "4.x" ||
+                if (XMLTools::version_compare(version, "4.0") < 0 ||
+              //if ( version != "4.x" ||
                      compiler->getCachedFwOpt()->getBool("pf_keep_state"))
                     compiler->output << "keep state ";
             }
@@ -1093,7 +1096,8 @@ bool PolicyCompiler_pf::PrintRule::processNext()
     } else
     {
         // stateless rule
-        if ( version == "4.x")
+        if (XMLTools::version_compare(version, "4.0")>=0)
+      //if ( version == "4.x")
             // v4.x, stateless rule
             compiler->output << "no state ";
     }
diff --git a/test/pf/objects-for-regression-tests.fwb b/test/pf/objects-for-regression-tests.fwb
index a5c24c588..130865c04 100644
--- a/test/pf/objects-for-regression-tests.fwb
+++ b/test/pf/objects-for-regression-tests.fwb
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
-<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="13" lastModified="1256083160" id="root">
+<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="13" lastModified="1256085763" id="root">
   <Library id="sysid99" name="Deleted Objects" comment="" ro="False">
     <ICMP6Service id="idE0C27650" code="0" type="1" name="ipv6 dest unreachable" comment="No route to destination" ro="False"/>
     <Library id="id40E233F3" color="#FFFFFF" name="West Coast" comment="" ro="False">
@@ -1096,11 +1096,7 @@
       </FirewallOptions>
     </Firewall>
     <ObjectRef ref="id34697X75509"/>
-    <ObjectRef ref="net-Internal_net"/>
     <ObjectRef ref="id19505X46601"/>
-    <ObjectRef ref="sysid0"/>
-    <ObjectRef ref="sysid0"/>
-    <ObjectRef ref="sysid0"/>
   </Library>
   <Library id="syslib001" color="#d2ffd0" name="User" comment="User defined objects" ro="False">
     <ObjectGroup id="stdid01_1_clusters" name="Clusters" comment="" ro="False"/>
@@ -16128,7 +16124,7 @@
           <Option name="use_tables">True</Option>
         </FirewallOptions>
       </Firewall>
-      <Firewall id="id19494X46601" host_OS="freebsd" inactive="False" lastCompiled="1256083190" lastInstalled="0" lastModified="1256083185" platform="pf" version="4.x" name="firewall21" comment="branching in NAT rules" ro="False">
+      <Firewall id="id19494X46601" host_OS="freebsd" inactive="False" lastCompiled="1256085788" lastInstalled="0" lastModified="1256085759" platform="pf" version="4.0" name="firewall21" comment="branching in NAT rules&#10;PF v4.0-4.2" ro="False">
         <NAT id="id19574X46601" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
           <NATRule id="id19575X46601" disabled="False" position="0" action="NATBranch" comment="">
             <OSrc neg="False">
@@ -16151,12 +16147,12 @@
             </TSrv>
             <NATRuleOptions>
               <Option name="action_on_reject"></Option>
-              <Option name="branch_id">id28067X46601</Option>
+              <Option name="branch_id">id19696X53465</Option>
               <Option name="classify_str"></Option>
               <Option name="custom_str"></Option>
               <Option name="ipf_route_opt_addr"></Option>
               <Option name="ipf_route_opt_if"></Option>
-              <Option name="ipf_route_option">route_through</Option>
+              <Option name="ipf_route_option">route_reply_through</Option>
               <Option name="ipfw_classify_method">2</Option>
               <Option name="ipfw_pipe_port_num">0</Option>
               <Option name="ipfw_pipe_queue_num">0</Option>
@@ -16286,6 +16282,7 @@
             <NATRuleOptions/>
           </NATRule>
         </NAT>
+        <NAT id="id19696X53465" name="ftp-proxy/*" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False"/>
         <Policy id="id19513X46601" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
           <PolicyRule id="id19562X46601" disabled="False" log="True" position="0" action="Deny" direction="Both" comment="">
             <Src neg="False">
@@ -16353,6 +16350,280 @@
           <Option name="inst_cmdline"></Option>
           <Option name="inst_script"></Option>
           <Option name="install_script"></Option>
+          <Option name="ipt_mangle_only_rulesets"></Option>
+          <Option name="limit_suffix">/day</Option>
+          <Option name="limit_value">0</Option>
+          <Option name="linux24_ip_forward">0</Option>
+          <Option name="linux24_tcp_fin_timeout">30</Option>
+          <Option name="linux24_tcp_keepalive_interval">1800</Option>
+          <Option name="load_modules">False</Option>
+          <Option name="log_all_dropped">False</Option>
+          <Option name="log_ip_opt">False</Option>
+          <Option name="log_level">debug</Option>
+          <Option name="log_limit_suffix">/second</Option>
+          <Option name="log_limit_value">0</Option>
+          <Option name="log_prefix"></Option>
+          <Option name="log_tcp_opt">False</Option>
+          <Option name="log_tcp_seq">False</Option>
+          <Option name="manage_virtual_addr">True</Option>
+          <Option name="modulate_state">False</Option>
+          <Option name="no_iochains_for_any">False</Option>
+          <Option name="no_optimisation">False</Option>
+          <Option name="openbsd_path_pfctl"></Option>
+          <Option name="openbsd_path_sysctl"></Option>
+          <Option name="pass_all_out">False</Option>
+          <Option name="pf_do_scrub">True</Option>
+          <Option name="pf_limit_frags">5000</Option>
+          <Option name="pf_limit_states">10000</Option>
+          <Option name="pf_optimization"></Option>
+          <Option name="pf_scrub_fragm_crop">False</Option>
+          <Option name="pf_scrub_fragm_drop_ovl">False</Option>
+          <Option name="pf_scrub_maxmss">1460</Option>
+          <Option name="pf_scrub_minttl">1</Option>
+          <Option name="pf_scrub_no_df">False</Option>
+          <Option name="pf_scrub_random_id">False</Option>
+          <Option name="pf_scrub_use_maxmss">False</Option>
+          <Option name="pf_scrub_use_minttl">False</Option>
+          <Option name="pf_timeout_frag">30</Option>
+          <Option name="pf_timeout_interval">10</Option>
+          <Option name="platform">iptables</Option>
+          <Option name="proxy_arp">False</Option>
+          <Option name="script_env_path"></Option>
+          <Option name="snmp_contact"></Option>
+          <Option name="snmp_description"></Option>
+          <Option name="snmp_location"></Option>
+          <Option name="use_ip_tool">False</Option>
+          <Option name="use_numeric_log_levels">False</Option>
+          <Option name="use_tables">True</Option>
+        </FirewallOptions>
+      </Firewall>
+      <Firewall id="id19695X55350" host_OS="freebsd" inactive="False" lastCompiled="1256085789" lastInstalled="0" lastModified="1256085779" platform="pf" version="4.3" name="firewall22" comment="branching in NAT rules&#10;PF v4.3 and later" ro="False">
+        <NAT id="id19729X55350" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
+          <NATRule id="id19730X55350" disabled="False" position="0" action="NATBranch" comment="">
+            <OSrc neg="False">
+              <ObjectRef ref="sysid0"/>
+            </OSrc>
+            <ODst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </ODst>
+            <OSrv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </OSrv>
+            <TSrc neg="False">
+              <ObjectRef ref="sysid0"/>
+            </TSrc>
+            <TDst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </TDst>
+            <TSrv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </TSrv>
+            <NATRuleOptions>
+              <Option name="action_on_reject"></Option>
+              <Option name="branch_id">id19696X53465</Option>
+              <Option name="classify_str"></Option>
+              <Option name="custom_str"></Option>
+              <Option name="ipf_route_opt_addr"></Option>
+              <Option name="ipf_route_opt_if"></Option>
+              <Option name="ipf_route_option">route_reply_through</Option>
+              <Option name="ipfw_classify_method">2</Option>
+              <Option name="ipfw_pipe_port_num">0</Option>
+              <Option name="ipfw_pipe_queue_num">0</Option>
+              <Option name="ipt_continue">False</Option>
+              <Option name="ipt_gw"></Option>
+              <Option name="ipt_iif"></Option>
+              <Option name="ipt_mark_connections">False</Option>
+              <Option name="ipt_oif"></Option>
+              <Option name="ipt_tee">False</Option>
+              <Option name="pf_fastroute">False</Option>
+              <Option name="pf_route_load_option">none</Option>
+              <Option name="pf_route_opt_addr"></Option>
+              <Option name="pf_route_opt_if"></Option>
+              <Option name="pf_route_option">none</Option>
+              <Option name="rule_name_accounting"></Option>
+            </NATRuleOptions>
+          </NATRule>
+          <NATRule id="id19744X55350" disabled="False" group="" position="1" action="NATBranch" comment="">
+            <OSrc neg="False">
+              <ObjectRef ref="net-Internal_net"/>
+            </OSrc>
+            <ODst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </ODst>
+            <OSrv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </OSrv>
+            <TSrc neg="False">
+              <ObjectRef ref="sysid0"/>
+            </TSrc>
+            <TDst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </TDst>
+            <TSrv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </TSrv>
+            <NATRuleOptions>
+              <Option name="action_on_reject"></Option>
+              <Option name="branch_id">id28067X46601</Option>
+              <Option name="classify_str"></Option>
+              <Option name="custom_str"></Option>
+              <Option name="ipf_route_opt_addr"></Option>
+              <Option name="ipf_route_opt_if"></Option>
+              <Option name="ipf_route_option">route_through</Option>
+              <Option name="ipfw_classify_method">2</Option>
+              <Option name="ipfw_pipe_port_num">0</Option>
+              <Option name="ipfw_pipe_queue_num">0</Option>
+              <Option name="ipt_continue">False</Option>
+              <Option name="ipt_gw"></Option>
+              <Option name="ipt_iif"></Option>
+              <Option name="ipt_mark_connections">False</Option>
+              <Option name="ipt_oif"></Option>
+              <Option name="ipt_tee">False</Option>
+              <Option name="pf_fastroute">False</Option>
+              <Option name="pf_route_load_option">none</Option>
+              <Option name="pf_route_opt_addr"></Option>
+              <Option name="pf_route_opt_if"></Option>
+              <Option name="pf_route_option">none</Option>
+              <Option name="rule_name_accounting"></Option>
+            </NATRuleOptions>
+          </NATRule>
+          <NATRule id="id19758X55350" disabled="False" group="" position="2" action="NATBranch" comment="">
+            <OSrc neg="False">
+              <ObjectRef ref="net-Internal_net"/>
+            </OSrc>
+            <ODst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </ODst>
+            <OSrv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </OSrv>
+            <TSrc neg="False">
+              <ObjectRef ref="id19706X55350"/>
+            </TSrc>
+            <TDst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </TDst>
+            <TSrv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </TSrv>
+            <NATRuleOptions>
+              <Option name="action_on_reject"></Option>
+              <Option name="branch_id">id28067X46601</Option>
+              <Option name="classify_str"></Option>
+              <Option name="custom_str"></Option>
+              <Option name="ipf_route_opt_addr"></Option>
+              <Option name="ipf_route_opt_if"></Option>
+              <Option name="ipf_route_option">route_through</Option>
+              <Option name="ipfw_classify_method">2</Option>
+              <Option name="ipfw_pipe_port_num">0</Option>
+              <Option name="ipfw_pipe_queue_num">0</Option>
+              <Option name="ipt_continue">False</Option>
+              <Option name="ipt_gw"></Option>
+              <Option name="ipt_iif"></Option>
+              <Option name="ipt_mark_connections">False</Option>
+              <Option name="ipt_oif"></Option>
+              <Option name="ipt_tee">False</Option>
+              <Option name="pf_fastroute">False</Option>
+              <Option name="pf_route_load_option">none</Option>
+              <Option name="pf_route_opt_addr"></Option>
+              <Option name="pf_route_opt_if"></Option>
+              <Option name="pf_route_option">none</Option>
+              <Option name="rule_name_accounting"></Option>
+            </NATRuleOptions>
+          </NATRule>
+        </NAT>
+        <NAT id="id19772X55350" name="NAT_1" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
+          <NATRule id="id19773X55350" disabled="False" position="0" action="Translate" comment="">
+            <OSrc neg="False">
+              <ObjectRef ref="net-Internal_net"/>
+            </OSrc>
+            <ODst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </ODst>
+            <OSrv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </OSrv>
+            <TSrc neg="False">
+              <ObjectRef ref="id19695X55350"/>
+            </TSrc>
+            <TDst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </TDst>
+            <TSrv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </TSrv>
+            <NATRuleOptions/>
+          </NATRule>
+        </NAT>
+        <NAT id="id19787X55350" name="ftp-proxy/*" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False"/>
+        <Policy id="id19716X55350" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
+          <PolicyRule id="id19717X55350" disabled="False" log="True" position="0" action="Deny" direction="Both" comment="">
+            <Src neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="stateless">True</Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+        </Policy>
+        <Routing id="id19788X55350" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
+        <Interface id="id19701X55350" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="en1" comment="" ro="False">
+          <IPv4 id="id19704X55350" name="firewall22:en1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
+          <InterfaceOptions/>
+        </Interface>
+        <Interface id="id19706X55350" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="en0" comment="" ro="False">
+          <IPv4 id="id19709X55350" name="firewall22:en0:ip" comment="" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
+          <InterfaceOptions/>
+        </Interface>
+        <Interface id="id19711X55350" dyn="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
+          <IPv4 id="id19714X55350" name="firewall22:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
+          <InterfaceOptions/>
+        </Interface>
+        <Management address="127.0.0.1">
+          <SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
+          <FWBDManagement enabled="True" identity="" port="9999"/>
+          <PolicyInstallScript arguments="" command="" enabled="False"/>
+        </Management>
+        <FirewallOptions>
+          <Option name="accept_established">True</Option>
+          <Option name="accept_new_tcp_with_no_syn">True</Option>
+          <Option name="action_on_reject">ICMP net unreachable</Option>
+          <Option name="check_shading">True</Option>
+          <Option name="clamp_mss_to_mtu">False</Option>
+          <Option name="cmdline"></Option>
+          <Option name="compiler"></Option>
+          <Option name="configure_interfaces">False</Option>
+          <Option name="debug">False</Option>
+          <Option name="dyn_addr">False</Option>
+          <Option name="firewall_dir"></Option>
+          <Option name="firewall_is_part_of_any">True</Option>
+          <Option name="firewall_is_part_of_any_and_networks">True</Option>
+          <Option name="freebsd_ip_forward"></Option>
+          <Option name="freebsd_ip_redirect"></Option>
+          <Option name="freebsd_ip_sourceroute"></Option>
+          <Option name="freebsd_ipv6_forward"></Option>
+          <Option name="freebsd_path_ipf"></Option>
+          <Option name="freebsd_path_ipnat"></Option>
+          <Option name="freebsd_path_pfctl">/usr/local/bin/pfctl</Option>
+          <Option name="freebsd_path_sysctl"></Option>
+          <Option name="ignore_empty_groups">False</Option>
+          <Option name="in_out_code">True</Option>
+          <Option name="inst_cmdline"></Option>
+          <Option name="inst_script"></Option>
+          <Option name="install_script"></Option>
+          <Option name="ipt_mangle_only_rulesets"></Option>
           <Option name="limit_suffix">/day</Option>
           <Option name="limit_value">0</Option>
           <Option name="linux24_ip_forward">0</Option>